Konfigurasi Cisco VPN Anyconnect

Di tutorial ini tentang konfigurasi oleh karena itu perlu mengetahui juga tentang konsep VPN, VPN protocols, Remote Site, Site to site, Encryption(IPSEC,SSL), Authentication, Tunnel, Split tunnel, dll. Secara konsep semuanya sama cuman cara konfigurasi yang berbeda-beda di Linux ada software OpenVPN, Strongswan, dll. Di Windows ada RRAS. 

Untuk konfigurasi kali ini tentang konfigurasi Cisco VPN Anyconnect, tutorial ini juga cuman ringkasan dengan harapan barangkali ada yang bermanfaat oleh karena itu perlu juga di crosscheck dengan ebook, tutorial dan sumber lainnya.

Untuk konfigurasinya sederhana client akan melakukan koneksi ke VPN Server dalam hal ini Cisco ASA dengan Anyconnect nya, setelah client berhasil terkoneksi ke VPN Server maka bisa mengakses jaringan yang ada di belakang/internal Cisco ASA bisa jaringan LAN/DMZ.

1. Enable webvpn

webvpn

enable outside

anyconnect image disk0:/...

anyconnect enable

tunnel-group-list enable

2. Make a pool and object

RA = Remote Access

ip local pool RA-CLIENT-POOL 192.168.100.32-192.168.100.47

object network RA-CLIENT-NETWORK

 subnet 192.168.100.0 255.255.255.0

object-group network INTERNAL-NETWORK

 network-object 172.17.0.0 255.255.255.0

 network-object 172.18.0.0 255.255.255.0

3. Split tunnel and NAT

Split tunnel use split network(for routing client's list) and RA client network

access-list SPLIT-TUNNEL extended permit ip object-group INTERNAL-NETWORK object RA-CLIENT-NETWORK

NAT EXEMPT

If dynamic NAT is configured on Cisco ASA firewall appliance to provide internet access to all computers within a specific subnet in the Local Area Network (LAN). In this case, we need to configure NAT Exemption to exclude the remote access VPN subnet of Cisco AnyConnect remote access software from Dynamic NAT, otherwise the remote access VPN client cannot access to the resource within the internal network.

nat(any,outside) source static INTERNAL-NETWORK INTERNAL-NETWORK destination static RA-CLIENT-NETWORK RA-CLIENT-NETWORK

4. Policy

group-policy RA-VPN internal

group-policy RA-VPN attributes

 1. vpn-tunnel-protocol ssl-client

 2. split-tunnel-policy tunnelspecified

 3. split-tunnel-network-list value SPLIT-TUNNEL

5. Create users

username vpn1 password Skills39

username vpn2 password Skills39

username vpn1 attributes

service-type remote-access

username vpn2 attributes

service-type remote-access

6. Tunnel

address pool defines in client

tunnel-group RA-VPN type remote-access

tunnel-group RA-VPN general-attributes

 1. address-pool RA-CLIENT-POOL

 2. default-group-policy RA-VPN

tunnel-group RA-VPN webvpn-attributes

 1. group-alias RA-VPN enable